Yes, the VPN Filter was the solution to the problem. Thank you guys for your help.

Regards,
Antonio Soares, CCIE #18473 (R&S/SP)
[email protected]
http://www.ccie18473.net


From: Fawad Khan [mailto:[email protected]]
Sent: Tuesday, 27 September 2011 02:21
To: Antonio Soares
Cc: Piotr Matusiak; CCIE Security Maillist
Subject: Re: [OSL | CCIE_Security] SSL VPN and RRI

Antonio,

I think you have guessed it right, i.e. VPN-Filter under group-policy. I usually put something like the following in the vpn-filter ACL:

    access-list vpn-filter-group-1 permit tcp 10.x.x.x 255.255.255.0 gt 1023 192.168.x.x 255.255.0.0 eq XYZ

where 10.x.x.x is the SSL VPN subnet, 192.168.x.x is on the core network/DMZ/LAN and XYZ is any service.

The key thing about the vpn-filter ACL is that the remote addresses (i.e. the SSL VPN addresses in your case) would always act as the source, even though there would be a chance that an inside/core user would access a service on the remote address. For example, if you want to enable remote desktop functionality from your core to the SSL users, then the vpn-filter ACL would look like the following, in addition to the regular OUTBOUND ACL on the inside interface:

    access-list vpn-filter-group-1 permit tcp 10.x.x.x 255.255.255.0 eq 3389 192.168.x.x 255.255.0.0 gt 1023

See page 9 of the following link: http://www.cisco.com/image/gif/paws/99103/pix-asa-vpn-filter.pdf

FNK.


On Mon, Sep 26, 2011 at 8:13 AM, Antonio Soares <[email protected]> wrote:

It seems we need the vpn-filter defined. We have split-tunneling but we don't have the vpn-filter. I will update this topic after the tests we will be performing today.

Regards,
Antonio Soares, CCIE #18473 (R&S/SP)
[email protected]
http://www.ccie18473.net


From: Piotr Matusiak [mailto:[email protected]]
Sent: Friday, 23 September 2011 16:47
To: Antonio Soares
Cc: CCIE Security Maillist
Subject: Re: [OSL | CCIE_Security] SSL VPN and RRI

Does your customer use the Split Tunneling 'include' or 'exclude' policy? Are there ST routes in the Route Detail tab of the AC Statistics window? Finally, can you paste a sanitized config?

Regards,
Piotr


2011/9/23 Antonio Soares <[email protected]>

Hello Piotr,

Yes, basically it doesn't work as expected. The end user adds static routes (Windows route add) and is able to access these networks. The ASA version is a little old (8.2.1), do you think this could be a bug? Thanks.

Regards,
Antonio Soares, CCIE #18473 (R&S/SP)
[email protected]
http://www.ccie18473.net


From: Piotr Matusiak [mailto:[email protected]]
Sent: Friday, 23 September 2011 15:38
To: Antonio Soares
Cc: CCIE Security Maillist
Subject: Re: [OSL | CCIE_Security] SSL VPN and RRI

Hi Antonio,

It seems like Split tunneling does not work. Do I understand it correctly?

Regards,
Piotr


2011/9/23 Antonio Soares <[email protected]>

Hello group,

Need help on this one. A customer has SSL VPN configured with RRI. The customer is saying that it works fine, but if the end user statically adds more routes to the client machine, the client machine has access to the additional routes. This should not be happening. The ASA is running 8.2.1. Thanks.

Regards,
Antonio Soares, CCIE #18473 (R&S/SP)
[email protected]
http://www.ccie18473.net

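As an added example that is not from any of the posters, here is the shape of the ASA 8.x configuration Fawad describes: a vpn-filter written with the SSL VPN client as the source for both traffic directions, applied under the group-policy next to a split-tunnel list. The ACL and policy names, the client pool 10.10.10.0/24 and the inside range 192.168.0.0/16 are assumptions.

```cisco
! Added example, not from the thread. Assumed values:
!   10.10.10.0/24   = SSL VPN client address pool
!   192.168.0.0/16  = inside/core networks
!
! A vpn-filter ACL is evaluated with the VPN client address as the SOURCE,
! whichever side opened the connection.

! Clients may open HTTPS to any inside host.
access-list VPN-FILTER-GP1 extended permit tcp 10.10.10.0 255.255.255.0 gt 1023 192.168.0.0 255.255.0.0 eq 443

! Inside hosts may open RDP (3389) TO a client. The client is still written as
! the source, so the client's port is the RDP port and the inside host's port
! is the ephemeral one.
access-list VPN-FILTER-GP1 extended permit tcp 10.10.10.0 255.255.255.0 eq 3389 192.168.0.0 255.255.0.0 gt 1023

! Everything else hits the implicit deny at the end of the ACL, including
! traffic to networks a user adds on the client with "route add".

! Split-tunnel list (standard ACL): only these networks are sent into the tunnel.
access-list SPLIT-GP1 standard permit 192.168.0.0 255.255.0.0

group-policy GP1 internal
group-policy GP1 attributes
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-GP1
 vpn-filter value VPN-FILTER-GP1

tunnel-group SSL-USERS general-attributes
 default-group-policy GP1
```

The vpn-filter is applied in addition to, not instead of, the ACL on the inside interface, so the inside-to-client RDP case needs both to permit it.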
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
